T-Mobile on Friday announced roughly 6 million additional accounts had data swiped in a recent hack, bringing the total number of victims of the breach to over approximately 55 million individuals.
The revelations come as lawmakers have ramped up scrutiny of the company.
An additional 5.3 million subscriber accounts had addresses, names, dates of birth, and phone numbers accessed, T-Mobile said. The company also found that the data of 667,000 more accounts of former T-Mobile customers, including their names, phone numbers, addresses and dates of birth, had been accessed.
Unlike the first set of customers identified by T-Mobile on Wednesday, none of these additional accounts had their Social Security Numbers or ID information compromised, the company said.
The new findings also reveal that phone data, IMEIs and IMSIs were accessed. IMEIs, which are often used for advertising purposes, are a unique fingerprint for a device that cannot be reset.
The company also noted that up to 52,000 prepaid Metro by T-Mobile accounts may have been included in the attack. T-Mobile has actively re-sent customer PINs for all prepaid accounts accessed by the hacker. No data from the company’s other prepaid services have been found in the breach.
T-Mobile announced it was investigating the breach on Monday after reports that a hacker had put the stolen data up for sale on the dark web. The hacker claimed to have stolen the account information of more than 100 million accounts.
The breach, the fifth the company has suffered since 2018, has sparked fury from lawmakers and fueled interest on the Hill for more aggressive privacy and data breach notification laws.
“This breach is yet another example of why Congress must pass a national privacy and data security law,” Republicans on the House Energy and Commerce Committee, led by ranking member Rep. Cathy McMorris Rodgers of Washington, wrote in a statement. “We need strong national standards that ensure industries can innovate, strengthen cybersecurity and data privacy, and keep up with the evolving ways bad actors steal personal information.”
The company is also facing a class-action lawsuit requesting unspecified damages and a court order prohibiting the company from keeping personal information on a cloud database, as Motherboard reported.
T-Mobile has expressed confidence that the company has shut off the access point the hacker used to get into its servers.
“Our investigation is ongoing and will continue for some time, but at this point, we are confident that we have closed off the access and egress points the bad actor used in the attack,” T-Mobile stated in its most recent announcement.
Updated 8/20/21 to include information about a lawsuit.